What is personally identifiable information (PII)?
Personally identifiable information (PII) is any data that could potentially identify a specific individual.
Any information that can be used to distinguish one person from another and can be used to deanonymize previously anonymous data is considered PII.
PII may be used alone or in tandem with other relevant data to identify an individual. It may incorporate direct identifiers, such as passport information, that can identify a person uniquely, or quasi-identifiers, such as race, that can be combined with other quasi-identifiers, like date of birth, to successfully recognize an individual.
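The effect of combining quasi-identifiers can be measured before a data set is shared. The following is an added example, not part of the original article: it computes k-anonymity (the size of the smallest group of records sharing the same values) for every combination of quasi-identifiers, then shows how coarsening one field raises it. The records, column names and function names are constructed for illustration.

```python
from collections import Counter
from itertools import combinations

# Constructed sample rows with names already removed; not real people.
RECORDS = [
    {"zip": "02139", "dob": "1985-03-14", "gender": "F"},
    {"zip": "02139", "dob": "1985-03-14", "gender": "M"},
    {"zip": "02139", "dob": "1990-07-02", "gender": "F"},
    {"zip": "02139", "dob": "1990-07-02", "gender": "F"},
    {"zip": "02140", "dob": "1985-03-14", "gender": "F"},
    {"zip": "02140", "dob": "1985-03-14", "gender": "M"},
    {"zip": "02140", "dob": "1990-07-02", "gender": "M"},
    {"zip": "02140", "dob": "1990-07-02", "gender": "M"},
]
QUASI_IDENTIFIERS = ("zip", "dob", "gender")

def class_sizes(records, columns):
    """Count how many records share each combination of values in `columns`."""
    return Counter(tuple(r[c] for c in columns) for r in records)

def k_anonymity(records, columns):
    """Size of the smallest group; k == 1 means someone is singled out."""
    return min(class_sizes(records, columns).values())

def unique_fraction(records, columns):
    """Share of records that are the only one with their value combination."""
    sizes = class_sizes(records, columns)
    singled_out = sum(1 for r in records
                      if sizes[tuple(r[c] for c in columns)] == 1)
    return singled_out / len(records)

def risk_report(records, identifiers):
    """(columns, k, unique fraction) for every non-empty subset of identifiers."""
    return [(cols, k_anonymity(records, cols), unique_fraction(records, cols))
            for width in range(1, len(identifiers) + 1)
            for cols in combinations(identifiers, width)]

def generalize_zip(record, keep=3):
    """Mitigation: publish only the leading digits of the zip code."""
    return {**record, "zip": record["zip"][:keep]}

if __name__ == "__main__":
    for cols, k, frac in risk_report(RECORDS, QUASI_IDENTIFIERS):
        print(f"{'+'.join(cols):<16} k={k} unique={frac:.0%}")
    coarse = [generalize_zip(r) for r in RECORDS]
    print("zip prefix only: k =", k_anonymity(coarse, QUASI_IDENTIFIERS))
```

In this sample every field alone leaves each person hidden among four records, while the three fields together single out half of them.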
Why does PII need to be secured?
Protecting PII is essential for personal privacy, data privacy, data protection, information privacy and information security. With just a few bits of an individual's personal information, thieves can create false accounts in the person's name, incur debt, create a falsified passport or sell a person's identity to a criminal.
As individuals' personal data is recorded, tracked and used daily -- such as in biometric scans with fingerprints and facial recognition systems used to unlock devices -- it is increasingly essential to protect individuals' identity and any pieces of identifying information unique to them.
What is considered PII?
Any information that can uniquely identify people as individuals, separate from all others, is PII. It may include the following:
- telephone number
- date of birth
- passport number
- driver's license number
- credit or debit card number
- Social Security number
Definitions for PII vary. According to the U.S. General Services Administration (GSA), "The definition of PII is not anchored to any single category of information or technology. Rather, it requires a case-by-case assessment of the specific risk that an individual can be identified. In performing this assessment, it is important for an agency to recognize that non-PII can become PII whenever additional information is made publicly available -- in any medium and from any source -- that, when combined with other available information, could be used to identify an individual."
Although the legal definition of PII may vary from jurisdiction to jurisdiction and state to state, the term typically refers to information that can be used to distinguish or trace an individual's identity, either by itself or in combination with other personal or identifying information that is linked or linkable to an individual.
The Department of Energy (DOE) defines PII as follows: "Any information collected or maintained by the department about an individual, including but not limited to education, financial transactions, medical history and criminal or employment history, and information that can be used to distinguish or trace an individual's identity, such as his/her name, Social Security number, date and place of birth, mother's maiden name, biometric data, and including any other personal information that is linked or linkable to a specific individual."
This information includes more examples of what can be considered PII and can be more sensitive depending on the degree of harm, embarrassment or inconvenience it will cause an individual or organization "if that information is lost, compromised or disclosed," according to the DOE.
Sensitive vs. nonsensitive PII
PII can be labeled sensitive or nonsensitive. Nonsensitive PII is information that can be transmitted in an unencrypted form without resulting in harm to the individual. Nonsensitive PII can be easily gathered from public records, phone books, corporate directories and websites. This might include information such as zip code, race, gender, date of birth and religion -- information that, by itself, could not be used to discern an individual's identity.
Sensitive PII is information that, when disclosed, could result in harm to the individual if a data breach occurs. This type of sensitive data often has legal, contractual or ethical requirements for restricted disclosure.
Sensitive PII should therefore be encrypted in transit and when data is at rest. Such information includes biometric data, medical information covered by Health Insurance Portability and Accountability Act (HIPAA) laws, personally identifiable financial information (PIFI) and unique identifiers, such as passport or Social Security numbers.
Employee personnel records; tax information, including Social Security numbers and Employer Identification Numbers (EINs); password information; credit card numbers; bank accounts; electronic and digital account information, such as email addresses and internet account numbers; and school identification numbers and records are also on the list of sensitive PII.
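Several of the sensitive identifiers listed above have a recognizable format, so they can be detected and masked before text reaches logs or other unencrypted storage. The following is an added example, not part of the original article: it masks Social Security numbers, payment card numbers and email addresses, using the Luhn checksum and the unassigned Social Security number ranges to avoid masking look-alike values. The log lines are constructed and the function names are illustrative.

```python
import re

CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")   # 13-19 digits, optional separators
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
EMAIL_RE = re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b")

def luhn_ok(digits):
    """Luhn checksum used by payment card numbers; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                 # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def plausible_ssn(area, group, serial):
    """Reject ranges that are never assigned: area 000, 666, 9xx; group 00; serial 0000."""
    return (area not in ("000", "666") and area[0] != "9"
            and group != "00" and serial != "0000")

def redact(line):
    """Return (line with sensitive PII masked, sorted list of PII kinds found)."""
    found = set()

    def card(m):
        digits = re.sub(r"\D", "", m.group())
        if not luhn_ok(digits):
            return m.group()           # fails the checksum, e.g. an order number
        found.add("card")
        return "[CARD ****" + digits[-4:] + "]"

    def ssn(m):
        if not plausible_ssn(*m.groups()):
            return m.group()           # same shape as an SSN but not assignable
        found.add("ssn")
        return "[SSN]"

    def email(m):
        found.add("email")
        return "[EMAIL]"

    for pattern, handler in ((CARD_RE, card), (SSN_RE, ssn), (EMAIL_RE, email)):
        line = pattern.sub(handler, line)
    return line, sorted(found)

# Constructed log lines; none of the values belong to a real person.
SAMPLE_LOG = [
    "2024-05-01T12:00:03Z signup email=alice@example.com ssn=123-45-6789",
    "2024-05-01T12:00:07Z payment card=4111 1111 1111 1111 amount=19.99",
    "2024-05-01T12:00:09Z shipped order=1234 5678 9012 3456",
    "2024-05-01T12:00:11Z support ticket ref=900-12-3456 opened",
]
```

Pattern matching of this kind only finds identifiers with a fixed format; free-text PII such as names or medical details needs other controls.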
How is PII used in identity theft?
A number of retailers, health-related organizations, financial institutions -- including banks and credit reporting agencies -- and federal agencies, such as the Office of Personnel Management (OPM) and the Department of Homeland Security (DHS), have experienced data breaches that put individuals' PII at risk, leaving them potentially vulnerable to identity theft.
The kind of information identity thieves are after will change depending on what cybercriminals are trying to gain. By hacking and accessing computers and other digital files, they can open bank accounts or file fraudulent claims with the right stolen information.
In some cases, criminals can open accounts with just an email address. Others require a name, address, date of birth, Social Security number and more information. Some accounts can even be opened over the phone or on the internet.
Additionally, physical files -- such as bills, receipts, a physical copy of birth certificates, Social Security cards or lease information -- can be stolen if an individual's home is broken into. Thieves can sell PII for a significant profit. Criminals may use victims' information without their realizing it. While thieves may not use victims' credit cards, they may open new, separate accounts using their victims' information.
PII laws and regulations
As the amount of structured and unstructured data available keeps mushrooming, the number of data breaches and cyberattacks by actors who realize the value of PII continues to climb. As a result, concerns have been raised over how public and private organizations handle sensitive information.
Government agencies and other organizations must have strict policies about collecting PII through the web, customer surveys or user research. Regulatory bodies are hammering out new laws to protect consumer data, while users are looking for more anonymous ways to stay digital.
The European Union's (EU) General Data Protection Regulation (GDPR) is one of a growing number of regulations and privacy laws that affect how organizations conduct business. GDPR, which applies to any organization that collects PII from citizens in the EU, has become a de facto standard worldwide. GDPR holds these organizations fully accountable for protecting PII data, no matter where they might be headquartered.
PII security best practices
As organizations continuously collect, store and distribute PII and other sensitive data, employees, administrators and third-party contractors need to understand the repercussions of mishandled data and be held accountable. Predictive analytics and artificial intelligence (AI) are in use at organizations to sift through large data sets so that any data stored is compliant with all PII rules.
Additionally, organizations establishing procedures for access control can prevent inadvertent disclosure of PII. Other best practices include using strong encryption, secure passwords, and two-factor (2FA) and multifactor authentication (MFA).
Other recommendations for protecting PII are:
- encouraging employees to practice good data backup procedures;
- safely destroying or removing old media with sensitive data;
- installing software, application and mobile updates;
- using secure wireless networks, rather than public Wi-Fi; and
- using virtual private networks (VPNs).
To protect PII, individuals should:
- limit what they share on social media;
- shred important documents before discarding them;
- be aware to whom they give their Social Security numbers; and
- keep their Social Security cards in a safe place.
Individuals should also make sure to make online purchases or view financial information only on HTTP Secure (HTTPS) sites; watch out for shoulder surfing, tailgating or dumpster diving; be careful about uploading sensitive documents to the cloud; and lock devices when not in use.
PII vs. PHI
Protected health information (PHI) includes information used in a medical context that can identify patients, such as name, address, birthday, credit card number, driver's license and medical records.
Whether companies handle PII or PHI, they should employ records management programs to gain better control of their data by moving it to more intense document management systems and repositories or by disposing of content that's no longer required.
In the U.S., PHI is subject to strict confidentiality and disclosure requirements that don't apply to most other industries. While protecting PHI is always legally required, protecting PII is mandated only in some instances. Under HIPAA and revisions to HIPAA made in 2009's Health Information Technology for Economic and Clinical Health (HITECH) Act, covered entities -- such as healthcare providers, insurers and their business associates -- are limited in the types of PHI they can collect from individuals, share with other organizations or use in marketing. In addition, organizations must provide PHI to patients if requested, preferably in an electronic PHI (ePHI) format.
PHI is useful to patients and health professionals; it is also valuable to clinical and scientific researchers when anonymized. However, for hackers, PHI offers a wealth of personal consumer information that, when stolen, can be sold elsewhere or even held hostage through ransomware until the victimized healthcare organization sends a payoff.